Thousands of accounts breached in CRA ‘credential stuffing’ cyberattack

The Canada Revenue Agency (CRA) has been hit with a “credential stuffing” cyberattack, resulting in usernames and data being accessed.

According to a statement from the CRA, the passwords and usernames of 9,041 users were “acquired fraudulently” and used to try and access government of Canada services.

A statement from the Canadian government reads as follows:

“Used by approximately 30 federal departments, GCKey allows Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity.”

The government says that these attacks utilized passwords and usernames collected from previous hacks of accounts on other platforms. The hackers “took advantage of the fact that many people reuse passwords and usernames across multiple accounts.” The Treasury Board suggests users use unique passwords for different accounts.

Affected GCKey accounts were cancelled as soon as the threat was discovered, and the government is contacting users whose credentials were revoked to provide instructions on how to get a new GCKey.

The government notes that it has taken CRA online services offline as a result of the breach, and that it expects the services to be back online sometime this week, as reported by the CBC.

Further, the RCMP has said that it is looking into the cyberattack, and the Privacy Commissioner of Canada is currently monitoring the situation.

Source: Government of Canada